Cyber-Attack Detection on an Industrial Control System Testbed using Dynamic Watermarking

A Power Grid Application

Master Thesis (2022)
Author(s)

G.W. van den Broek (TU Delft - Mechanical Engineering)

Contributor(s)

R. Ferrari – Mentor (TU Delft - Team Riccardo Ferrari)

T. Keijzer – Mentor (TU Delft - Team Riccardo Ferrari)

Faculty
Mechanical Engineering
Copyright
© 2022 Geert van den Broek
Publication Year
2022
Language
English
Coordinates
52.00182744704395, 4.3713199611650335
Graduation Date
25-08-2022
Awarding Institution
Delft University of Technology
Programme
Mechanical Engineering | Systems and Control
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Industrial Control Systems (ICSs) are used to monitor and control industrial processes and critical infrastructure, and are therefore crucial to modern society. This makes them attractive targets for malicious cyber-attacks, which have become more advanced and abundant in recent history. To properly defend ICSs from these cyber-attacks, appropriate cyber-defensive mechanisms should be continuously designed and updated, cyber-attack detection mechanisms included. These mechanisms should undergo sufficient testing before being implemented in actual ICSs to minimise unforeseen consequences. Existing literature indicates that Dynamic Multiplicative Watermarking (DMWM) is a promising form of cyber-attack detection, which could improve overall detection performance. Thus far, this technique has not yet been applied to Automatic Generation Control (AGC) (a prominent form of Load Frequency Control (LFC) in power grids) to detect data integrity attacks (specifically scaling and replay attacks).

Ergo, this research aims at testing the performance of DMWM against data integrity attacks on AGC. To perform attack detection, a Luenberger observer is utilised. This observer generates a residual, which is compared to a robustly designed threshold. For the purpose of adequate testing, the HILDA (Hardware-In-the-Loop Detection of Attacks) testbed is designed and constructed. By using this testbed, more realistic scenarios can be simulated than with regular desktop simulations. After verifying the correct construction of the testbed, the DMWM performance is examined both on a desktop simulation environment using MATLAB & Simulink, and on the HILDA testbed. It is shown that the addition of DMWM increases the detection performance in the context of both scaling and replay attacks. For replay attacks, this performance increases notably, while for scaling attacks the improvement is more modest. It is shown that, overall, the attacks are detected more quickly when simulated on the HILDA testbed compared to simulations performed on the MATLAB & Simulink environment. On the other hand, the overall detection ratio was better when simulated on the MATLAB & Simulink environment. This discrepancy in detection performance demonstrates the added value of the HILDA testbed.

Files

License info not available